gurcu | a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30

Analysis

max time kernel
144s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25-05-2023 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30.exe
Size

1.0MB
MD5

8ac6fad1621e8dc2439c86fd3469eb03
SHA1

73439f9abb74eee90fd881f8584fe35930dadec3
SHA256

a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30
SHA512

75077e9a736eae3c70a72ceabb7baa110a7b1df2457cff7247f5ec42e3514c51ea6cba88ff44a63e82277b5c94c68345d6004530b3adcd0cb7568a13b605e82a
SSDEEP

24576:6yP3pZiOTVnDk3+fpSiE1ITGI+LSGWztQHbco9Bwz+5T4trl/hwNP7:BP33iORnD9RJEn5S7tWpBwkKRy

Score

10^/10

gurcu redline fash lina collection discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lina

83.97.73.122:19062

Attributes

auth_value
13523aee5d194d7716b22eeab7de10ad

Extracted

Family

redline

Botnet

fash

83.97.73.122:19062

Attributes

auth_value
dd7165bcd22b0ed3df426d944e12f136

Extracted

Family

gurcu

https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 18 IoCs

pid	Process
2324	z6836274.exe
2416	z4244038.exe
2900	o4089572.exe
4288	p8997176.exe
2468	r2714663.exe
4928	s2015415.exe
3736	s2015415.exe
4776	legends.exe
3176	legends.exe
1240	k2.exe
2392	k2.exe
3728	k2.exe
3740	legends.exe
4316	legends.exe
3996	legends.exe
2176	legends.exe
4020	legends.exe
5072	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
4516	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6836274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6836274.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4244038.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4244038.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 3976	2900	o4089572.exe	70
PID 2468 set thread context of 4640	2468	r2714663.exe	75
PID 4928 set thread context of 3736	4928	s2015415.exe	77
PID 4776 set thread context of 3176	4776	legends.exe	79
PID 3740 set thread context of 4316	3740	legends.exe	101
PID 3996 set thread context of 5072	3996	legends.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4672	2392	WerFault.exe	96
4956	3728	WerFault.exe	99

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2300	schtasks.exe
4132	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2604	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3976	AppLaunch.exe
3976	AppLaunch.exe
4288	p8997176.exe
4288	p8997176.exe
4640	AppLaunch.exe
4640	AppLaunch.exe
2392	k2.exe
3728	k2.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	AppLaunch.exe
Token: SeDebugPrivilege	4288	p8997176.exe
Token: SeDebugPrivilege	4928	s2015415.exe
Token: SeDebugPrivilege	4776	legends.exe
Token: SeDebugPrivilege	4640	AppLaunch.exe
Token: SeDebugPrivilege	1240	k2.exe
Token: SeDebugPrivilege	2392	k2.exe
Token: SeDebugPrivilege	3728	k2.exe
Token: SeDebugPrivilege	3740	legends.exe
Token: SeDebugPrivilege	3996	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3736	s2015415.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2324	1064	a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30.exe	66
PID 1064 wrote to memory of 2324	1064	a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30.exe	66
PID 1064 wrote to memory of 2324	1064	a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30.exe	66
PID 2324 wrote to memory of 2416	2324	z6836274.exe	67
PID 2324 wrote to memory of 2416	2324	z6836274.exe	67
PID 2324 wrote to memory of 2416	2324	z6836274.exe	67
PID 2416 wrote to memory of 2900	2416	z4244038.exe	68
PID 2416 wrote to memory of 2900	2416	z4244038.exe	68
PID 2416 wrote to memory of 2900	2416	z4244038.exe	68
PID 2900 wrote to memory of 3976	2900	o4089572.exe	70
PID 2900 wrote to memory of 3976	2900	o4089572.exe	70
PID 2900 wrote to memory of 3976	2900	o4089572.exe	70
PID 2900 wrote to memory of 3976	2900	o4089572.exe	70
PID 2900 wrote to memory of 3976	2900	o4089572.exe	70
PID 2416 wrote to memory of 4288	2416	z4244038.exe	71
PID 2416 wrote to memory of 4288	2416	z4244038.exe	71
PID 2416 wrote to memory of 4288	2416	z4244038.exe	71
PID 2324 wrote to memory of 2468	2324	z6836274.exe	73
PID 2324 wrote to memory of 2468	2324	z6836274.exe	73
PID 2324 wrote to memory of 2468	2324	z6836274.exe	73
PID 2468 wrote to memory of 4640	2468	r2714663.exe	75
PID 2468 wrote to memory of 4640	2468	r2714663.exe	75
PID 2468 wrote to memory of 4640	2468	r2714663.exe	75
PID 2468 wrote to memory of 4640	2468	r2714663.exe	75
PID 2468 wrote to memory of 4640	2468	r2714663.exe	75
PID 1064 wrote to memory of 4928	1064	a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30.exe	76
PID 1064 wrote to memory of 4928	1064	a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30.exe	76
PID 1064 wrote to memory of 4928	1064	a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30.exe	76
PID 4928 wrote to memory of 3736	4928	s2015415.exe	77
PID 4928 wrote to memory of 3736	4928	s2015415.exe	77
PID 4928 wrote to memory of 3736	4928	s2015415.exe	77
PID 4928 wrote to memory of 3736	4928	s2015415.exe	77
PID 4928 wrote to memory of 3736	4928	s2015415.exe	77
PID 4928 wrote to memory of 3736	4928	s2015415.exe	77
PID 4928 wrote to memory of 3736	4928	s2015415.exe	77
PID 4928 wrote to memory of 3736	4928	s2015415.exe	77
PID 4928 wrote to memory of 3736	4928	s2015415.exe	77
PID 4928 wrote to memory of 3736	4928	s2015415.exe	77
PID 3736 wrote to memory of 4776	3736	s2015415.exe	78
PID 3736 wrote to memory of 4776	3736	s2015415.exe	78
PID 3736 wrote to memory of 4776	3736	s2015415.exe	78
PID 4776 wrote to memory of 3176	4776	legends.exe	79
PID 4776 wrote to memory of 3176	4776	legends.exe	79
PID 4776 wrote to memory of 3176	4776	legends.exe	79
PID 4776 wrote to memory of 3176	4776	legends.exe	79
PID 4776 wrote to memory of 3176	4776	legends.exe	79
PID 4776 wrote to memory of 3176	4776	legends.exe	79
PID 4776 wrote to memory of 3176	4776	legends.exe	79
PID 4776 wrote to memory of 3176	4776	legends.exe	79
PID 4776 wrote to memory of 3176	4776	legends.exe	79
PID 4776 wrote to memory of 3176	4776	legends.exe	79
PID 3176 wrote to memory of 4132	3176	legends.exe	80
PID 3176 wrote to memory of 4132	3176	legends.exe	80
PID 3176 wrote to memory of 4132	3176	legends.exe	80
PID 3176 wrote to memory of 1044	3176	legends.exe	81
PID 3176 wrote to memory of 1044	3176	legends.exe	81
PID 3176 wrote to memory of 1044	3176	legends.exe	81
PID 1044 wrote to memory of 204	1044	cmd.exe	84
PID 1044 wrote to memory of 204	1044	cmd.exe	84
PID 1044 wrote to memory of 204	1044	cmd.exe	84
PID 1044 wrote to memory of 216	1044	cmd.exe	85
PID 1044 wrote to memory of 216	1044	cmd.exe	85
PID 1044 wrote to memory of 216	1044	cmd.exe	85
PID 1044 wrote to memory of 2144	1044	cmd.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2.exe

C:\Users\Admin\AppData\Local\Temp\a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30.exe
"C:\Users\Admin\AppData\Local\Temp\a9835541871cdb7d208f6a74c062d14f9ca8a7306eca42efae114ee298fdca30.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6836274.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6836274.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4244038.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4244038.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4089572.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4089572.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8997176.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8997176.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4288
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2714663.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2714663.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2015415.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2015415.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2015415.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2015415.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4776
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3176
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4132
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:204
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:4336
      - C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        7⤵
        
        PID:1856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4092
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1
        8⤵
        Runs ping.exe
        
        PID:2604
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
        
        "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
        8⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2392 -s 2980
        9⤵
        Program crash
        
        PID:4672
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4516

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe
1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3728
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3728 -s 3088
  2⤵
  - Program crash
  PID:4956

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3740
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4316

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3996
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:5072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k2.exe.log

Filesize
1KB

MD5
d51a38b0538aafbb39cd4743767cf2a3

SHA1
ec819ad7959110e2244b2978e4a60e4c5e99961d

SHA256
8678df64deb4a7203a8ac3eaa5af8b767111e753385d286f9e1c121d45830e22

SHA512
51ffb0c793f034843cf749716680bb6dd81c840bbe22f6426c8d14ffd62a7b4fab974325aa978e62ba57575b836aff4e00a810688818749021f658b623fd41f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000033001\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2015415.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2015415.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2015415.exe

Filesize
962KB

MD5
927280512d71bdb87f4b81a2d65c5354

SHA1
52f217c5e23d57e1647299177e360b40d922cada

SHA256
39a3a0b3d9d154403bd886e0a380effc49cf793e62a13dd737a908b7b5d9cc06

SHA512
fc452903a74632eb6f6197a0e237a8557c3fc8831b549e87de37c89c38ab2d48c7b63a7cba0990f205bbde010c49410695ba16e476bbd589e6d94b53ec434ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6836274.exe

Filesize
596KB

MD5
39c6e32749a0cd1a7b8c52e86779de4e

SHA1
7407db4685b19ce585347ae6f648bca2c2013834

SHA256
63e2dff812d89ea806dadb8d2e16e5edba91aab9d0887a1f322ee39255cccbfb

SHA512
b5011a33be5271720bf289637569befcc9e7caf2482ae143a6e414d7843e492c370c3d67aa22d6cd039d14c174b7b864b8df39c02f60a4ff7c477d0677bfd574

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6836274.exe

Filesize
596KB

MD5
39c6e32749a0cd1a7b8c52e86779de4e

SHA1
7407db4685b19ce585347ae6f648bca2c2013834

SHA256
63e2dff812d89ea806dadb8d2e16e5edba91aab9d0887a1f322ee39255cccbfb

SHA512
b5011a33be5271720bf289637569befcc9e7caf2482ae143a6e414d7843e492c370c3d67aa22d6cd039d14c174b7b864b8df39c02f60a4ff7c477d0677bfd574

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2714663.exe

Filesize
322KB

MD5
4efe09bcc319c8feea5c193f9c5c6974

SHA1
6e8d4ca3674edfc5eb22e6b02530a957d4810c26

SHA256
aff14afddb0d859beb43530e437880cd32c0db322fb51cde4eeb9fa5fad53f0a

SHA512
ea2561ea2485d4151ae91aebfe4412088521a0454d5597e95054df947761326e6d9a5b3f6b096b7fa60b1d6bf1ca2fb4bec45d24b57c4a8a79d4f7e5398292b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2714663.exe

Filesize
322KB

MD5
4efe09bcc319c8feea5c193f9c5c6974

SHA1
6e8d4ca3674edfc5eb22e6b02530a957d4810c26

SHA256
aff14afddb0d859beb43530e437880cd32c0db322fb51cde4eeb9fa5fad53f0a

SHA512
ea2561ea2485d4151ae91aebfe4412088521a0454d5597e95054df947761326e6d9a5b3f6b096b7fa60b1d6bf1ca2fb4bec45d24b57c4a8a79d4f7e5398292b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4244038.exe

Filesize
277KB

MD5
17ec704b8d155a1b9d09f1f958356370

SHA1
d6858370fad002485fb8489acdb8996bfb662321

SHA256
84d132449203326d4dcf5e96cf06042573e1e31327656f10b38b53195ade7e96

SHA512
71b3f0d7f5fea914c9543ea4f66812fd6a80081d4091dc4ef10b430700341282aa4512286ba60bff71e6e3fa4a72f02899cf0475d9ae706065169db1b4aa4ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4244038.exe

Filesize
277KB

MD5
17ec704b8d155a1b9d09f1f958356370

SHA1
d6858370fad002485fb8489acdb8996bfb662321

SHA256
84d132449203326d4dcf5e96cf06042573e1e31327656f10b38b53195ade7e96

SHA512
71b3f0d7f5fea914c9543ea4f66812fd6a80081d4091dc4ef10b430700341282aa4512286ba60bff71e6e3fa4a72f02899cf0475d9ae706065169db1b4aa4ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4089572.exe

Filesize
188KB

MD5
a83bf84f464e2f28601d77282602be3f

SHA1
f226227f491899c9c4954a2fd5ce43a5537a17e7

SHA256
b206e5c77b2c7244cdb11bd3632e3c4375e7063ce9b14c3f0f56bb6b3357c742

SHA512
3fbb21a87959791a6b0cb62ece63234baf50c7a40d1fc063ed88f9b022b6fadb1dd28e0945d1bf36fe64509267e70fa2715b4be470a2235dc0dc5ebb050a6b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4089572.exe

Filesize
188KB

MD5
a83bf84f464e2f28601d77282602be3f

SHA1
f226227f491899c9c4954a2fd5ce43a5537a17e7

SHA256
b206e5c77b2c7244cdb11bd3632e3c4375e7063ce9b14c3f0f56bb6b3357c742

SHA512
3fbb21a87959791a6b0cb62ece63234baf50c7a40d1fc063ed88f9b022b6fadb1dd28e0945d1bf36fe64509267e70fa2715b4be470a2235dc0dc5ebb050a6b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8997176.exe

Filesize
145KB

MD5
d17e6a2f7c2c32951b771e3a13cad5d6

SHA1
e41f7a76f8b46810674f10bf95b0a8d2429bd5f5

SHA256
ebf8ed8a2b5457d53d87fe049c44f3cc4f8d58aac00e75e17fb24f7681acf81b

SHA512
f9fc52cd724b2f554335c530b06e44e8f29e8f1b33332d7ad9f000832a9112d2a7037c16b6745f837d90630e797833a55e663cdd91e6d84e0f6e7f29b31f76e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8997176.exe

Filesize
145KB

MD5
d17e6a2f7c2c32951b771e3a13cad5d6

SHA1
e41f7a76f8b46810674f10bf95b0a8d2429bd5f5

SHA256
ebf8ed8a2b5457d53d87fe049c44f3cc4f8d58aac00e75e17fb24f7681acf81b

SHA512
f9fc52cd724b2f554335c530b06e44e8f29e8f1b33332d7ad9f000832a9112d2a7037c16b6745f837d90630e797833a55e663cdd91e6d84e0f6e7f29b31f76e5

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\port.dat

Filesize
4B

MD5
a3f61f3a8034cbfb5ecf0d785e750fb3

SHA1
0dc0aa67a8832112a3ab235633b0331b104d85de

SHA256
36ac58bc96ad6e60c9b13685942dd4a436a6064dc7d123b7a99d3656abe861a2

SHA512
5f7b9c4e521ab1d35fe2c831d7ca9fb6550f7a3499d7ed130e70d102ae66707754e928fdd514a692a18942201019c5f57883a74853aa11c48973d46dd8305794

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
memory/1240-385-0x000001CE92EA0000-0x000001CE92F3A000-memory.dmp

Filesize
616KB

Download
memory/1240-386-0x000001CEAD6B0000-0x000001CEAD6C0000-memory.dmp

Filesize
64KB

Download
memory/2392-394-0x0000025D7EF60000-0x0000025D7EF70000-memory.dmp

Filesize
64KB

Download
memory/2392-397-0x0000025D7EF60000-0x0000025D7EF70000-memory.dmp

Filesize
64KB

Download
memory/3176-364-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3176-428-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3176-365-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3176-367-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3176-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3176-382-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3176-379-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3728-410-0x000002033F940000-0x000002033F950000-memory.dmp

Filesize
64KB

Download
memory/3728-399-0x000002033F940000-0x000002033F950000-memory.dmp

Filesize
64KB

Download
memory/3736-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3736-218-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3736-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3736-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3736-212-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3740-403-0x0000000007950000-0x0000000007960000-memory.dmp

Filesize
64KB

Download
memory/3976-140-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/3996-432-0x00000000075D0000-0x00000000075E0000-memory.dmp

Filesize
64KB

Download
memory/4288-186-0x0000000006E60000-0x0000000006EB0000-memory.dmp

Filesize
320KB

Download
memory/4288-151-0x0000000000EE0000-0x0000000000F0A000-memory.dmp

Filesize
168KB

Download
memory/4288-187-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/4288-160-0x0000000005910000-0x000000000595B000-memory.dmp

Filesize
300KB

Download
memory/4288-185-0x0000000006D90000-0x0000000006E06000-memory.dmp

Filesize
472KB

Download
memory/4288-184-0x0000000007730000-0x0000000007C5C000-memory.dmp

Filesize
5.2MB

Download
memory/4288-183-0x0000000007030000-0x00000000071F2000-memory.dmp

Filesize
1.8MB

Download
memory/4288-152-0x0000000005CB0000-0x00000000062B6000-memory.dmp

Filesize
6.0MB

Download
memory/4288-172-0x0000000006680000-0x0000000006712000-memory.dmp

Filesize
584KB

Download
memory/4288-153-0x0000000005800000-0x000000000590A000-memory.dmp

Filesize
1.0MB

Download
memory/4288-154-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/4288-155-0x00000000057B0000-0x00000000057EE000-memory.dmp

Filesize
248KB

Download
memory/4288-167-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/4288-166-0x00000000067C0000-0x0000000006CBE000-memory.dmp

Filesize
5.0MB

Download
memory/4288-161-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/4316-406-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4316-408-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4316-407-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4640-193-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4640-210-0x0000000009020000-0x0000000009030000-memory.dmp

Filesize
64KB

Download
memory/4776-227-0x0000000006E50000-0x0000000006E60000-memory.dmp

Filesize
64KB

Download
memory/4928-205-0x0000000000150000-0x0000000000248000-memory.dmp

Filesize
992KB

Download
memory/4928-211-0x0000000007030000-0x0000000007040000-memory.dmp

Filesize
64KB

Download
memory/5072-437-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5072-438-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5072-439-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download